what's the significance of the add forward-server statement?
splunk add forward-server <host>:<port> -auth <username>:<password>
i'm documenting the forwarder install for some admins to read, and we previously had this step in there for a standalone deployment. i think we'll remove it though with our new distributed deployment.
according to the Answers and Docs it's optional, and i believe i'm hardcoding all the indexer addresses anyways in a forwarder package so it's not needed. it's just difficult for me to follow some of the docs because terminologies are used interchangeably and it sometimes becomes unclear.
The purpose of this CLI command is to add an indexer (or heavy forwarder) to outputs.conf - in a basic setup this is the CLI way to tell your forwarder where to forward to.
I know this is a super old thread but I was wondering if you could clarify:
i believe i'm hardcoding all the indexer addresses anyways in a forwarder package so it's not needed.
Do you have some documentation on this process?
Any help is appreciated.
The CLI command in question is used to configure receiving endpoint on Universal Forwarder. More info is available here. I am not sure if this is what you're looking for, but this definitely is a good starting point.
thankyou for the reply but i am specifically asking about hardcoding the indexer addresses in a forwarder package
In that case, you have to include outputs.conf with below settings, in your forwarder package.
## Syntax [tcpout-server://<ip address>:<port>] ## Example [tcpout-server://220.127.116.11:9997]
##Syntax: [tcpout:<target_group>] server = [<ip>|<servername>]:<port> ##Example: [tcpout:prod_indexer_group] server = https://yourIndexer1:9997, https://yourIndexer2:9997
Please have a look at my other answer for more details on above settings. HTH!